I don't think this is all that new. I typically am on a VPN at a hotspot (though there have been times when I wondered if someone could still access my machine).

Anyway, when will the day come that someone gets hacked at Starbucks and turns around and sues them. I don't know how that would work out. I don't know if there is anything Starbucks or Tmobile can do about this (just naming the big guys here) but they certainly should try.

I don't know how many times I suggested that potentially DNS was hacked to various companies where weird things were happening... and they blew me off like I was nuts. Like there's no way DNS can be hacked. Right.

The only issue I see here is more complicated application testing and debugging. It will be harder to pinpoint errors.

I haven't thought it totally through and it's late but seems like this is a network device and should focus on network issues.

The concept of what they are doing should be done by every application however, and perhaps an application framework is best suited for these things. Perhaps you could use a combination but I worry about the maintenance consequences of this.

Sunday, April 22, 2007

Working away here suddenly my printer started making noise for no apparent reason. I'm guessing someone got on my network or my machine here and they are snooping around and hit the device on that port / local IP.

I looked at IPs my machine is connected to and for no apparent reason it is connected to this IP:

Here's an interesting article on JavaScript hacks. This would apply to people going to web sites that have the attacks in the code when you download the page and the inability of various virus, malware and spybot type software figuring out that the code is actually malicious.

Ebay has a page where you can enter a whole bunch of information if you forget your password.

There is a whole host of sensitive information you have to enter on that page to get your password.

The page is only accessible via http.

Oh but they probably submit it via https you say.

So what. Let's say their DNS gets hacked somehow and people set up a fake page at that address on the servers that are being rerouted to when you think you're at ebay. The only way to know you are really at ebay is hitting the page via https because the certificate applies to a specific server. Without that you can be rerouted and when you hit submit on this bogus link you just gave a hacker your secret question/answer (which you probably used in multiple places, right?), your birth date, place of birth, etc. etc.

Wednesday, April 18, 2007

I was working on a site that encodes cookies today and I was wondering why they did that. I was thinking that "hey, encoding is not the same as encrypting...are they doing this for security reasons?" Then I started thinking about it a little more - the distinction between encrypting and encoding. I did a quick search which provided a nice document that I am giving kudos to for backing up my thoughts on the technically correct purposes of encode and encrypt.
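To make the encode/encrypt distinction concrete, here is an added example (my own illustration, not code from the site mentioned above) using only the Python standard library. It shows that a base64/URL-encoded cookie can be read back by anyone holding it with no secret, and that an HMAC over the encoded value gives integrity (tampering is detected) but still not confidentiality: the payload stays readable. The secret and the cookie contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import quote, unquote

# Constructed example secret for the demo only; a real server loads this from
# configuration, never from source code.
SERVER_SECRET = b"example-only-secret-do-not-use"


def encode_cookie(data: dict) -> str:
    """Encoding: makes the value safe to carry in a Set-Cookie header.
    No secret is involved, so this provides no security property at all."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return quote(base64.b64encode(raw).decode())


def decode_cookie(value: str) -> dict:
    """Anyone holding the cookie can reverse the encoding; that is what an
    encoding is for. Readability is the point, not protection."""
    raw = base64.b64decode(unquote(value).encode())
    return json.loads(raw)


def sign_cookie(data: dict) -> str:
    """Integrity: append an HMAC-SHA256 tag keyed with the server secret.
    The payload is still plainly readable (no confidentiality)."""
    payload = encode_cookie(data)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value: str) -> Optional[dict]:
    """Return the decoded payload only if the tag matches; None otherwise.
    compare_digest avoids leaking the mismatch position through timing."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_cookie(payload)


def demo() -> dict:
    """Walk through the three properties so the differences are visible."""
    session = {"user": "alice", "role": "user"}
    encoded = encode_cookie(session)
    signed = sign_cookie(session)
    # A modified payload glued onto the original tag must fail verification.
    payload, _, tag = signed.rpartition(".")
    altered = encode_cookie({"user": "alice", "role": "admin"}) + "." + tag
    return {
        "readable_without_secret": decode_cookie(encoded) == session,
        "signed_verifies": verify_cookie(signed) == session,
        "altered_rejected": verify_cookie(altered) is None,
        "signed_payload_still_readable": decode_cookie(payload) == session,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The base64 alphabet and percent-encoding never produce a literal ".", so splitting on the last "." to separate payload from tag is unambiguous. If the cookie contents themselves must stay hidden, that requires actual encryption with a key, which neither encoding nor signing provides.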

Hmm, suddenly I am getting loads of hits from Romania, China and Russia. This after a recent article I posted suggested the US as the malware capital of the world and my suggestion that the actual source of this hacking is elsewhere. I also suggested segmenting your servers for different parts of the world and known hacker countries so that hacker sources are limited to hacking their own boxes and not the rest of the boxes used by countries in the world that are not such a high percentage of Internet thieves, crooks, criminals and spies (though we all have some black sheep in our family).

Here are a string of hits in a row from IPs in different parts of the world requesting things that are not on our server. They are requesting a specific URL, not an IP address so this is not a DNS problem where someone pointed a domain to our IP by mistake. I believe our DNS servers are set up correctly as I just double checked everything but my hosting company has a propensity for screwing up DNS records so will have to check that again. However given what they are requesting I assume these are a bunch of related hacked IPs, probably controlled by a command and control bot somewhere.
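The pattern described above (several unrelated IPs asking for the same file that does not exist on the server) is easy to pull out of an access log mechanically. The following is an added example of mine, not code from the original post: it parses Apache/nginx "combined" format lines and reports paths that returned 404 to two or more distinct source addresses, which separates coordinated probing from a single visitor following a stale link. The log lines, addresses (RFC 5737 documentation ranges) and paths are constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample access log (combined format). Addresses come from the
# documentation ranges and the paths are invented; nothing here is a real IoC.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Apr/2007:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Apr/2007:02:14:09 +0000] "GET /not-on-this-server.php HTTP/1.1" 404 512 "-" "-"
198.51.100.77 - - [18/Apr/2007:02:14:11 +0000] "GET /not-on-this-server.php HTTP/1.1" 404 512 "-" "-"
192.0.2.45 - - [18/Apr/2007:02:14:12 +0000] "GET /not-on-this-server.php HTTP/1.1" 404 512 "-" "-"
203.0.113.10 - - [18/Apr/2007:02:15:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [18/Apr/2007:02:15:30 +0000] "GET /old/missing.html HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

# One regex for the combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines; silently skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_probed_paths(entries: List[dict], min_sources: int = 2) -> Dict[str, Set[str]]:
    """Paths that do not exist here (404) yet are requested by at least
    min_sources distinct IPs. One IP hitting a missing file is a bad link;
    many IPs hitting the same missing file is a scan driven from elsewhere."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e["status"] == 404:
            sources[e["path"]].add(e["ip"])
    return {path: ips for path, ips in sources.items() if len(ips) >= min_sources}


def suspicious_ips(entries: List[dict], min_sources: int = 2) -> Set[str]:
    """Union of all source IPs that took part in a probed path."""
    probed = find_probed_paths(entries, min_sources)
    return set().union(*probed.values()) if probed else set()


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for path, ips in find_probed_paths(parsed).items():
        print(f"{path}: requested by {len(ips)} distinct sources: {sorted(ips)}")
```

The threshold on distinct sources is what keeps a legitimate 404 from a single visitor (the /old/missing.html line above) out of the report. For a real server the same logic runs over the rotated log files, and the resulting set of addresses is what you would review before deciding on a block.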

If you are running php and using any of the files below beware - there is probably some sort of hack in them. This attack comes from 61.62.83.165

Surprise, surprise - Taiwan.

inetnum: 61.62.0.0 - 61.62.255.255
netname: SONET-NET
country: TW

Taiwan is a big hacker source. If you're not doing business there you may want to consider blocking out IPs from this country. If you're not getting any money from Taiwan the only thing you will get is a bunch of problems.

Here are some interesting results looking up the information about this IP range:

inetnum: 156.54.0.0 - 156.54.255.255

remarks: This inetnum has been transfered as part of the ERX. It was present in both the ARIN and RIPE databases, so the information from both databases has been merged. If you are the mntner of this object, please update it to reflect the correct information.

Is this really an email domain or a dsl domain? It says ozemail but then it has dsl in the URL as well. Hopefully someone in Australia can alert this email / dsl provider to find out if this server is hacked.

Here's another web server IP address surfing our web sites. This is a search engine optimization company so chances are they are analyzing our sites to snipe content and/or copy our ranking techniques. I suggest you block this one out.